Monday, January 24, 2011

An Interview With Ryan Pittman

I am pleased to present an interview with Assistant Special Agent in Charge Ryan Pittman of the United States Army Criminal Investigation Command’s Computer Crime Investigative Unit.  Ryan is one of the sharpest criminal investigators in the digital forensics field and is a very personable fellow. I had the good fortune to finally meet him in person at last year’s CEIC conference in Las Vegas and it was one of the highlights of my experience. As you will see from this interview, he’s very knowledgeable, down to earth, and is passionate about teaching others about digital forensics and information security. If you like this interview, you will also enjoy hearing him on one of the recent Forensic 4cast podcasts that Lee Whitfield hosted with Rob Lee, Ryan, and myself. 

Professional Biography of Ryan Pittman

Ryan Pittman is currently a Criminal Investigator (1811) for the U.S. Army Criminal Investigation Command’s Computer Crime Investigative Unit (CCIU) near Washington, DC, continuing a career of more than 12 years in law enforcement and forensic science. Special Agent Pittman previously served as a Digital Forensic Examiner for Stroz Freidberg, LLC; a Master Instructor for Guidance Software, Inc.; a Senior Forensic Analyst for Sytex, Inc.; and a Computer Crime Coordinator (as an active duty soldier) for the U.S. Army Criminal Investigation Command. He is currently a Ph.D. candidate with Northcentral University, after receiving his Master of Forensic Sciences from National University, his Master of Science in Management in Information Systems Security from Colorado Technical University, and his Bachelor of Science in Criminal Justice from the University of Maryland University College. Special Agent Pittman has taught for George Washington University, University of Maryland University College, and Central Texas College, among others, and has been invited to teach or speak about incident response, digital investigations, and computer forensics on five continents.

AFoD Interview with Ryan Pittman

AFoD: How did you get involved in digital forensics?

RP: I won't say it was by accident, but it certainly wasn't something I expected... I have been blessed in my career (and in my life, really) to have good mentors and people I trusted that took an interest in my success.

I started my professional life as a junior high school Spanish teacher, but during my student teaching decided I didn't have the patience for it.  I felt a calling to serve my country, and to a greater extent to do something "meaningful" with my career.  I didn't exactly know what "meaningful" was at that time, and some argued that being a school teacher was a noble enough calling, but I needed something more concrete and wanted to feel like I was contributing to the world each morning when I woke up. So in a stroke of brilliance (read: moment of insanity), I took a break from college and ran off and joined the US Army as a Military Policeman.

I immediately fell in love with law enforcement and everything we stood for: truth and justice, law and order, help and kindness. Yes, I was very naive at that time, but it was enough to keep me wanting more. I soon decided there had to be more to life than writing traffic tickets and busting heads at the club on Saturday night. Serving in Okinawa, Japan, a colleague named Clarence Lahl was the first to get me interested in investigations.  It was the logic of it that appealed to me, and the chance to try to prove that we were smarter and more tenacious than the bad guys.  I worked my way up, becoming a Military Police Investigator, and (as soon as I could) I joined the Army's Criminal Investigation Division (CID).  During this same time, I switched from an Education major to the degree that every good cop (mistakenly) believes will help him do his job better, Criminal Justice, and earned my B.S.

As a military CID Agent, I worked all manner of crimes from adultery (yes, it's a crime in the military) to wire fraud and everything in between. Every investigator soon figures out that they are better at some things than others and enjoy some aspects of the job more.  For me, it was crime scenes and physical evidence... I loved the science of it, the fact that measured and meticulous attention to detail could be the thing that blew a case wide open. I also liked the idea (even if it was a little naive - I am noticing a trend here) that there was a part of each investigation from which the "truth" could actually be divined, when the human aspect was at worst unrepentantly false and at best unreliable.  So, I thought the only way I could ensure I got to focus on what I liked best was to enroll in grad school, which I did and earned a Master of Forensic Sciences degree.

It was about this time that the profile of digital evidence began to grow and we began taking note of how computers could contain evidence of virtually any crime, not just traditional computer offenses, such as kiddie porn.  Where I was stationed at the time (Fort Hood, TX), I had the good fortune to serve with Jamey Tubbs and Jessica Bair (of Guidance Software fame), who were among the pioneers of computer forensics in Army CID.  They started a local computer crime program at Fort Hood, which allowed us to get our digital evidence examined locally, rather than having to send it off to our crime laboratory in Georgia.  I gave them a lot of business and picked their brains whenever I could. I saw digital forensics as an opportunity to specialize even further and deal with a particular type of evidence that was new and interesting (I love to learn new things!).  To be honest, I got tired of taking evidence, walking it to the back of the office, pushing it through the "secret door," and then not seeing it again until three weeks later when I got it back with a forensic report. I wanted to be on the other side of that door!

Jessica left the Army for Guidance Software and Jamey left to serve in Kuwait, but I took it upon myself to keep learning all I could about the discipline and the emerging science behind digital forensics. Despite my education and my interest, it was unlikely I would be able to convince CID to pay for formal training or allow me to work as a computer crimes guy; it was definitely still a niche in the Army at that time and there were plenty of other criminals that needed catching. But, fortune smiled on me again as I PCS'd to Kuwait to be Jamey's #2.  I guess Jamey took that as a sign... He had been a part-time instructor for Guidance Software for several years by then and got special permission to not only teach the EnCase Forensics Intermediate Course to a handful of us in Kuwait, but also to administer the written portion of the EnCE exam. So I took the course and the exam, qualified for the practical portion, which I also subsequently passed. As a newly minted EnCE, I began doing examinations on real criminal evidence and knew at that point that I had started on the path that would define the rest of my professional life.  So, that's how I got started, and the rest (as they say) is history.

AFoD:  In 2005, you made the decision to leave the Army and go into the private sector. Can you tell us what lead to this decision and what your professional life was like in the private sector during this period?

RP: I had reached the point in my career where I had a Master's
degree, tons of experience as a criminal investigator, and had been doing the digital forensics thing for a bit.  However, I was working in a organization that was VERY hierarchical, where a person's worth was determined by his rank, not by what he knew or what he could do. That is not necessarily a knock on the Army (because I have the Army to thank for most of the positive opportunities I've had in my career and making me a better person), but that is just the nature of the organization.  So, here is what I was looking at in late-2004:

1. I was freshly out of the Middle East (if you've never spent more
than a year away from your family in a combat zone, it is a character builder!) and had been told face-to-face by the CID Commanding General that I would most likely be headed back there in a year;

2. I was a Staff Sergeant (for those unfamiliar with the military, that is a middle-management, enlisted Non-Commissioned Officer rank). I had two choices for promotion... Either I could stay enlisted, which meant in most cases ceasing to investigate cases and probably not being allowed to do another forensic examination as I was turned into an admin guy (Detachment Sergeant, Evidence Custodian, etc.), or I could become a warrant officer and commit to another seven years in the Army;

3. I making less than $30k a year, working side by side with GS13s
from the FBI and other agencies and seeing the type of salaries being offered by private companies for forensic specialists. The combo of those three things made me want to get out (although, in a honest moment, it was mostly #3).  The problem was that I wasn't just going to step off active duty and step right into a GS13 Special Agent position somewhere, particularly not doing computer crime, so I decided to try my hand in the private sector.  Simultaneously one of the best and worst decisions of my life...

Before I even left the Army, I was lucky enough to secure a job with Guidance Software as an instructor (thanks in no small part to
endorsements by Jamey Tubbs and Jessica Bair). Then, with less than a month to go before I was to get out of the Army, I was "un-hired" due to a hiring freeze at the company. PANIC TIME! One of my colleagues at Fort Hood, Troy Asmus, made a couple calls on my behalf and found out there was a vacant contractor position at CID's Computer Crime Investigative Unit (CCIU). I applied, got picked up, and was off to D.C.

At CCIU, it was a brave new world... It was a gig doing hacking and
intrusion investigations (or, in my case, forensic exams) and this was a watershed moment for me. I had never worked intrusions before, and so I approached it the same way I approached the type of computer forensics with which I was most familiar.  But, as you know, intrusion investigations are generally not anything like your garden variety child porn exam; it is a whole different league!  I spent almost six months going to work HATING my job. I felt stupid and worthless and like I was a waste of space. I got ripped in private meetings with my boss on an almost weekly basis and I was scared to death that I'd be fired (a feeling I'd never had before).  It wasn't that I wasn't working hard, or that I wasn't doing good work, it was that I didn't have enough experience to do the RIGHT work. But, I made it my mission to contribute the way I knew I should... I spent very long days, hours and hours in self-study, gobbling up anything I could read about intrusion forensics, and paying a lot of attention to a colleague that would become both an important mentor and best friend, Dave Shaver. And suddenly... The light bulb came on! I went from non-entity to ninja in a blink! It felt like it was overnight (even though it was the result of lots of hard work), and intrusion investigations and examinations became the most fun I'd ever had doing forensics. I knew right then that I'd make the rest of my career in the network security and intrusion forensics field if I could help it. CCIU began offering GS13 Special Agent positions as they transitioned to a civilian organization within CID. I applied and got hired, but in a case of career deja vu I got un-hired again as the Army pulled all the positions back.

About that time, Bob Weitershausen (another one of those great mentors I mentioned) at Guidance Software let me know that they lifted their hiring freeze and I was back in the saddle with GSI. I took over the network intrusion curriculum from Lance Mueller (who is brilliant, by the way) and spent the next two years living the life of an itinerant digital forensics instructor.  This was probably my favorite period in the private sector... I worked with good people, I got to share my passion for our discipline with eager students, and (most importantly) I got time to research, experiment, and play. No job is better in our field than one that gives you freedom to grow as a professional, doing something you love. After GSI made their public stock offering, my personal philosophy and that of the company's began to diverge so I reluctantly left. It was an amicable parting, and I joined a firm where I could get back to being a "doer" not just a teacher.

This firm had a great reputation, and backed it up with some of the most competent forensic professionals with which I had ever worked; among them was the great Eoghan Casey (reference aforementioned "mentorship" theme).  My time there was bitter sweet and formed my general view of private sector gigs: great people, awesome money, no quality of life.  I felt owned, and after about three months I already knew I'd have to make a change or risk insanity. I couldn't take the demanding, sometimes demeaning, holier-than-thou clients anymore and doing so much civil work made me feel kind of icky.  It just wasn't in my DNA... I kept a lookout on USAJobs for a federal law enforcement position to open up, and was thrilled when one opened up back at CCIU.

Although I now know I am happiest in the government, I am extremely grateful for my time in the private sector, and I would recommend it to anyone who has never known anything but government service. There was more good than bad, and the three years I spent outside the government were worth their weight in gold:

1. I gained valuable experience with many more aspects of digital
forensics (e.g., civil litigation, eDiscovery, etc.) than I otherwise
would have if I had stayed 100% govie.

2. I was able to up my reportable salary number.  If you've ever been job hunting, you know that they always want to base your salary on what you made before, so the higher you can legitimately push that number the better shot you have at keeping it where you want it when you change jobs.

3. I became more appreciative... More appreciative of having a job in a bad economy. More appreciative of what a huge difference quality of life makes in job satisfaction. More appreciative of how a supervisor can make or break an employee (have to fill the ol' leadership toolbox!).

4. I made contacts and grew my professional circles. I cannot
overstate how important the people are that you meet along your path. You never know when someone is going to reach out and give you a hand up (which is always nice), but then being able to reach out your hand and offer help to another is the best!  Not to mention all the awesome people I had the extreme good fortune to learn from.

5. I also learned a lot about myself... I learned which digital forensic specialty appealed most to me. I learned I liked to teach as well as do.  I learned I am happiest in the government. And, I learned that money isn't everything.

AFoD: One of the things that is apparent from your career is that you have a keen interest in teaching. In 2007, you started work on a PhD and a couple years later you began a new role on the side as an associate professor. Can you tell us about your work in the academic world? I'm curious about your research interests as well as what you are teaching your students.

RP: I do have an interest in teaching and try to scratch that itch
whenever I can... I don't know if it comes from my time as a junior
high teacher earlier in my career, but I love the opportunity to talk with people who are as enthusiastic about our field as I am.  You just can't teach passion, so anytime you meet someone who has the drive and the enthusiasm, adding the know-how is the easy (and fun) part.  I broke into teaching at the college level as a Criminal Justice instructor at a community college (before I had even finished my own B.S.). It whet my appetite for not only sharing experiences with others interested in breaking into CJ but also stimulated my own appreciation for how important continuous and life-long learning is to our competence and effectiveness as professionals. That small start led to extensive graduate work, and additional teaching gigs for universities such as George Washington University and University of Maryland University College.  I've never really been an "academic," as
I am a full-time practitioner and teaching has always been an
as-time-permitted thing (except during a stint as a Master Instructor for Guidance Software).  But, as institutional education becomes much more available than it once was in computer forensics, there are greater opportunities to contribute to and formalize the cannon of our art/science.

I know this feeling is not unique... When I think of the folks in the
computer forensics field, most of the professionals that we hold in
the greatest esteem (or that at least get a lot of pub!), such as Eoghan Casey (Johns Hopkins), Brian Carrier (Purdue), Jesse Kornblum (Naval Academy), and Kevin Mandia (George Washington) just to name a few have all felt the call to teach.  I'll be the first to admit that I am not even fit to be mentioned in the same breath as these guys (heck, I'm lucky they even let me in the same room at conferences!), but they absolutely have the right of it: we will not get anywhere without doing our part to help the next Eoghan Casey or the next Eric Huber.

Good digital forensics programs in academia are still a little hard to come by...There are small pockets of excellence that exist at numerous institutions around the country, as colleges and universities have begun to realize that such courses can be cash cows; however, these courses are mostly the product of great professionals in our field giving focused effort to single offerings (don't get me wrong, this is very important).  But, until we get more programs focused on our speciality, and specifically move the level of that focus "up" (into the realm of serious doctoral work), I think we will continue to be mired by half-formed efforts designed to capture the latest trend in education by treating it as a spin-off of an IT or CJ undergrad degree.  The institutions that are getting more serious about offering digital forensics degrees (or have already taken great strides, such as UCF and Champlain) are successfully asking one very crucial question: "What do our graduates need to know how to do when they leave us?"   I had a large part recently in re-authoring two computer forensics and cyber security courses for UMUC, a project which was undertaken with that question in mind.  The reason this is so critical, in my view, is that we are a "DO"-oriented profession.

This is one of the key things I try to impress upon my students... It
is not enough to know, or even to teach.  We are not psychologists seeking to satisfy our academic curiosity about the long-term effects of not owning a pet, or biologists that observe the migratory patterns of the tripod fish and say "Hmm, that is interesting."  Knowledge without application is wasted!  Our field moves too fast, and the proper application of our discipline (even in research arenas) can have an immediate impact on people's lives... This is of course true of many forensic disciplines, but the speed at which digital technology changes and evolves makes it all the more critical in digital forensics.  The other thing I try to inculcate in my students (as I previously mentioned) is a passion for digital forensics and investigations. I want to get them excited! I want to get them pumped! I want them to get a small taste of what its like to break a big case wide open and catch the bad guy because they found the proverbial needle in the haystack as a result of their foo.

My philosophy is that I'll leave being brilliant to the Caseys and
Carriers...My job is to be the best practitioner I can be, to share my experiences with others if they are interested (mostly so they can learn from my mistakes!), and be an advocate for our profession when I can.  With that said, I do have some research interests, but you'd probably be disappointed with how unsophisticated they are.  I am doing a lot of work currently pertaining to the nature of the insider threat to U.S. Army systems, particularly as they relate to criminal incidents.  The amount of resources (time and money) spent on investigating and remediating  computer systems that theoretically should be among the easiest to control and lockdown (because of the nature of control in a military organization) is staggering, and there has to be a way to better address this issue without breaking the bank.  Other research interests include memory analysis (but who among us doesn't want to find out how to do this better, right?) and finding better and more clever ways to deal with the Trojan virus defense raised by suspects in DF cases.  Other than the insider threat work that is ongoing for my dissertation, I pick the other stuff up when I can and do an experiment here or some testing there. Eventually I'll get enough together that I publish a journal article in my spare time (whenever that is). ;-)

AFoD: One of the most self-destructive and limiting attitudes someone can have is to think, "Because I don't know everything, I don't know anything." I had to get over that attitude myself before I could work up the courage to do things like start a blog or teach people at a conference. It's easy to accept the fact that I'm never going to be someone who works at the level of an Eoghan Casey or Jesse Kornblum. Genius isn't common. It was harder to accept that I could still contribute even though I wasn't as gifted as those guys, but here we are talking so we both clearly got over it.

One of the reasons why I decided to swing for the bleachers and interview Richard Bejtlich for the first AFoD Blog interview was because I'm fascinated why our top level people got into digital forensics. People like Richard, Jesse, Eoghan, and yourself would excel at anything they were passionate about. I'm curious about why these people picked digital forensics rather than another field. What sort of people are you finding being attracted to digital forensics? Are there any sort of commonalities that you are seeing in your students?

RP:  You are very right that this can be kind of a rough field in which to draw attention to yourself... People often think they don't have anything to contribute, just because they've only been at it a couple years, or because they are still learning things on a daily basis themselves.  But, what they don't know is that we all are! Another deterrent is the fear of looking silly or having (perceived) knowledge limitations exposed for others to see.  It's kind of funny that you mention Richard Bejtlich in the same vein as "Because I don't know everything, I don't know anything."  I have enormous respect for Richard, although I've never had the pleasure of meeting him, and I think Real Digital Forensics is one of the best books (if not THE best) available on its subject.  Richard submitted the only review of less than 5 stars on Amazon for Eoghan Casey's book Handbook of Digital Forensics and Investigation, for which (as you know) I was a contributor.  As the basis for his less than perfect review, he called out my chapter specifically as one example of what he felt was a lack of coherence or overarching investigative scenario throughout the book as a whole.  I... was... crushed!  Not only did someone have something negative to say when I put myself out there, but it was someone who I told myself I was striving to be like...  I had to take step back and realize I was being silly.  He didn't attack my science or my knowledge or my skill; he just didn't care for the way it was presented.  I don't know everything about forensics, FAR from it, and I'm not afraid to admit it; but beyond that, even if Richard hated everything about my work, and called me a cotton-headed ninnymuggins, it wasn't going to affect my law enforcement career or the fact that I'll keep trying to be more knowledgeable tomorrow than I am today.  Once I got that through my head, I saw his comments for what they were, well-intentioned and meant to inform and guide, not to cast stones.  For those folks that remain crippled by this professional anxiety, they just have to remember that EVERY SINGLE MEMBER of our community has something worthwhile to offer the field, even if it is just as a sounding board for the Forensic Gods (that's right, I am pointing at you Casey, Bejtlich, Carvey, Carrier, and you others, you know who you are!) that move us forward. But I digress...

The folks that get into our field, in my experience, can be grouped, but each person seems to have their own motivations.  Generally, my students that are attracted to computer forensics seem to come from two primary areas of interest (not surprisingly): information technology/security and criminal justice.

The IT/IS folks are by far the more tech savvy, and as Rob Lee (or maybe it was you?) recently mentioned during a Forensic 4cast podcast, these are the folks that are way ahead right now as far as being ready to jump into computer forensics when they graduate.  I find my IT/IS students can be divided even further: those that are hardcore computer nerds (not a bad thing) and those that got into IT because it promised good jobs.  The computer nerds like forensics because of the added challenge it presents; it is an intellectual stimulation and provides opportunities for research, experimentation, and innovation that are not as often found in an Information Management position.  The ones that pursued a technology education because of the jobs are mostly looking for some way to stand out, to distinguish themselves from the crowd.  They are driven and look at the sea of IT bubbas that they're in school with and have already flowed out into the world, and they want to find a niche that will give them a competitive edge in the job market (plus, many of them have friends that have told them about the
sweet salaries to be made by folks that are good at digital forensics).

My CJ students are a different animal entirely.  For most of them,
computer forensics is a "hey, that sounds cool" schedule choice rather than a career path.  They seem to be less motivated by the science of it and more drawn to the "cool" factor.  But, if we do our jobs as teachers and ambassadors, many of these folks love what they're exposed to and decide to try to specialize (again, often lured by discussions of higher salaries for people that get good at it).  For these folks it is also less about challenging intellectual pursuit and more about some aspect of how this specialty can help them serve (e.g., protect kids, guard national security secrets, etc.).  These folks don't see themselves protecting a large corporate enterprise for a living, but rather chasing bad guys and putting them in jail.  They have studied victimology and criminology rather than SQL programming and IDS configuration.  In general, these folks are slower to filter into our field than the IT/IS graduates because the learning curve is more severe.  But, once these folks reach a level of proficiency, they are among the most talented and driven practitioners you'll ever meet.

AFoD:  I'd certainly fall in the criminal justice end of things when
it comes to starting point. I went from traditional physical law
enforcement into the private sector where I started to learn digital forensics by doing it.  I have a pair of liberal arts degrees rather than anything technical. I frequently wonder if I could do it over again, would I take the same path into forensics?  I suppose it would have been much better from a technical standpoint if people like you and I had started our educational lives studying computer engineering, computer science, or a similarly technical path. However, I also think people like us get quite a bit out of our formative years whether that's pushing a blue and white around in my case or working as a general criminal investigator in your case. What would we have lost if we hadn't taken the paths that we did?

One of the things I've learned is that teams get considerable benefit out of blended experiences and backgrounds so it's probably good that the community has a certain amount of people like us along with the technical intellectual giants that we've been talking about during the course of this conversation. So let me ask you this: What did you learn from those pre-digital forensics days as a general criminal investigator that helped craft you into the first rate digital forensics person you are today?

RP: Although I am flattered, Eric, I think it's stretch to call me
"first rate."  I just try to use the Finding Nemo philosophy... "Just
keep swimming..."

You know, I don't know if I would take the same path if I had it to do over again... I think the criminal justice experience is very valuable and now I wouldn't trade it for anything, but it was just so much gosh darned work! As these topics get more publicity and attention (thanks in large part to people like you), it seems that there are quicker ways to get from A to B academically, if not experientially.  It is certainly a different type of person, I think, that comes from this background (meaning, the bottom-up law enforcement route) and is now slinging bytes than a person that comes from an IT background.  It's a strange sort of maturity and complexity of character honed by diversity of experience that cops-turned-squints have, which it seems some science-only folks lack. That is not to say that non-law enforcement forensics guys and gals aren't great, in fact the opposite is true, as they are often fantastic and are more likely to be the scientific game-changers in our field. But, there is just something about a forensic examiner who has that depth of experience in other disciplines, I just can't put my finger on it...

I think there are two primary things I learned from those early, pre-examiner experiences as a general crimes guy that help me as a computer crime investigator and forensic examiner: 1) You have to appreciate non-technical perspectives on a case and 2) Sometimes you have to make intuitive leaps.

1. Non-technical perspectives.  Sometimes, as examiners, we lose touch with the fact that we may be the only ones who understand the data.  I work plenty of cases where the only forensics being done on any physical evidence is digital forensics.  People outside of my exam don't understand the process and they won't understand the findings unless they are put in the proper context.  This leads to other investigators, lawyers, and sometimes even the media asking what seem like idiotic questions about whether or not an exam is finished yet or why I can't tell them definitively that X, Y, and Z occurred.  I mean, these are frustrations that we've all experienced, but I was once part of the unwashed masses wondering why the damned computer forensics on my murder case were taking so long.  Now, I have the benefit of
perspective and have the ability to take a step back out of my forensic work and look at the situation from the point of view of the investigator or the attorney or the general public.  It helps me keep my cool when I just want to lose it on the next poor schmoe that calls and asks about his exam.  Also, it helps when I am writing my reports to remember what I would have wanted to know as the investigator, which often leads to a Bottom-Line-Up-Front (BLUF) that distills the findings down to easily digestible, concise language that is actually of benefit to the requester of the exam rather than pages and pages of techno-babble.

2. Intuitive leaps.  As scientists we often try to avoid intuition at all costs. We have this notion that everything is observable, everything is provable, everything is there, we just have to find it. The problem in digital forensics is that there are always gaps.  There are gaps in our knowledge and experience, there are gaps in timelines, gaps in available evidence, and sometimes it seems like we have more gaps than goodies.  What separates the good examiners from the great examiners is often what a lot of good cops do as a matter of habit, make intuitive leaps that can be tested and either shown to be true or proven to be a dead end.  We have to follow the breadcrumbs, but most often the line is broken and it sure enough isn’t straight.  As a general crimes guy, I learned that not everything is black and white, not everything is straightforward, and one clue does not always lead to the next.  You have to be able to develop scenarios for which there might currently be little support in order to take that next step of discovering where that support materializes.  Many examiners I have met follow the breadcrumbs and then just stop when the directly related digital clues seem to cease.  But, when others are met with this wall, they speculate, they innovate, they problem solve, and they spin a case in their minds like a metaphorical Rubic’s Cube looking at it from every angle in order to wring every last drop of forensic-y goodness out of it.  When these intuitive leaps pay off, they pay off big, and when they don't they just cost time.  Yet, so many examiners struggle with this. I am no exception... It is something I learned to do early on in my career, but it is a difficult skill to keep sharp.  I struggle with this on EVERY case, but I like to think those skills I practiced as a GC guy form a solid foundation.  Look, sometimes the data really is telling us more than we think.

AFoD:  We spend a lot of time as a community doing what we've done with our conversation here which taking about how to enter the community and land that first job. As we both well know, that's just the start of the learning process. We've both been involved in digital forensics for a long time and one of the things that has been a constant has been the increasing complexity of our jobs. When I first started, the primary area of focus for the community was relatively narrow in that Windows as the dominant operating system for both corporate and private purposes. Sure, there was a certain amount of other operating and file systems in the business and academic worlds, but taken as a whole it was Microsoft's world in which we lived in. That meant that a digital forensics person could be very employable with a strong grasp of just the Windows family of operating systems and just a few file systems like FAT and NTFS.  With the resurgence of Apple and the advent of the mobile device era where there are many strong players like Google and Nokia involved, we're in a very different world now. Microsoft's products are still a strong component of our lives as digital forensics people, but we now have to learn many more operating systems and file systems so that we can meet increasingly complex customer demands.

How does Ryan Pittman keep his digital forensic edge sharp in light of all of this change and increased complexity?

RP:  *drama warning* Oy...! Changing technology is the bane of my existence.  Things stay the same just long enough to get really good at them, and then they go and change the rules. It is usually some song and dance about making money, or whatever, but as we both know they never leave well enough alone.  As a consumer, the changes and improvements in digital technologies are fun and exciting, but as a forensic examiner, it just means more heavy lifting... Haha!

It isn't quite as bad as all that, but it is a double-edged sword. It can be a struggle to keep up because we have to be generalists of our discipline (I can't afford to focus just on memory forensics or Macintosh file systems), but what keeps me interested in this field is all the new stuff, fun challenges, and research opportunities.

So, since the world never stops turning, and Bill Gates, Steve Jobs,
and the Linus disciples never stop innovating, I have to accept the mantra "learn or die."  The first tool in my battle against obsolescence is reading... Everything I can get my hands on in our field. I look for the latest works by the biggies that I've come to trust, like Casey, Carvey, Bejtlich, and Carrier.  Then I read trade publications, like the Digital Investigations journal (for which I am also a reviewer, so I get to see a lot of the concept stuff too, even before it hits the printed page, which is AWESOME!).  Then I read blogs, and there are plenty to choose from. I like Harlan Carvey's blog, Lance Mueller's blog, the SANS blog, and Hogfly's blog.  And, catching podcasts like CyberSpeak and Forensic 4cast  is also very helpful.  Beyond that, it is just trying to keep my ears open for anything else that sounds cool... Trying to talk to smart guys like you on a regular basis helps too.

After trying to absorb all the printed (or broadcast) material I can get, it is about motivating myself to do research and testing.  I mean, if you've ever asked yourself a question like, "I wonder what actions will cause the timestamps for the .Trashes file on a  thumb drive to update," then you have a question begging for an answer. Research doesn't always have to be in a lab environment, and it doesn't have to solve world hunger.  It just has to be about, "I wonder if..."  Sometimes the small, easy tests you can perform in 15 minutes or less can be as personally rewarding as a giant six-month research project.  The best tests are the ones that result in knowledge you can apply immediately.

Last, I try to write or present whenever I can.  Putting stuff out there and having others in our field look at it is great motivation for trying to make sure your $#!~ is straight, particularly when you're writing about a new technology, technique, or artifact.  To get the benefits of this, you don't have to write a book or even an article... Go to a conference and make a presentation, teach a lecture course at your local college or university, guest write an entry for your favorite forensic blog, or look for opportunities to write portions of policy for your own organization or start innovative programs.

In short, it can be exhausting! But, we push forward because we love it and we are gluttons for punishment. And because we are all in it together...We all want to get from A to B, and when a new version of Windows comes out, we're all going to need to get from A to C.


  1. Fantastic. This is going to be required reading for my students. Thanks Ryan and Eric. BTW, I was in that same lecture at CEIC 2010!

  2. Thanks so much for sharing your personal and professional journey. It is honor to know you and to have worked with you!
    Jessica Bair

  3. Ah, Jessica... You have that backwards; it is an honor to know YOU and call you my friend. You've been a guiding force in digital forensics for a long time, and I am proud to call you one of my mentors.

  4. The passion for his work is great.
    I remember Ryan as a very competent teacher in The Netherlands and US.

    Nice reading about a great friend.
    Thanks Ryan

    Cees Pijnappels
    Police Region Brabant-North
    Department for Organised Crime
    Computer Forensic Investigations